What does it have to do with phone numbers, you might think? Well, it's not that obvious.
I have been using the FairEmail app to read emails on my phone for many years. Recently, Google made this change, so I thought I needed to take some action to make sure I can continue using my favourite email app. After reading a bit, everything looked pretty simple:
- I could add my email account to my phone and login using google's native authentication methods, or
- «you can use an app password, please see below.»
Sure, I don't want to add a Google account to my phone just to be able to receive emails via IMAP, so I'll just generate a separate app password for my email app, right?
Well, for some reason it's not possible to generate app passwords unless you have 2FA enabled. The option is just not there.
What can be simpler than adding 2FA to my account? I use password managers and my passwords are super strong, but I have no other choice, I'll have to use an authenticator app to continue reading emails on my phone, doesn't make much sense but anyway…
You can't just scan a QR with TOTP secret and enable 2FA for your account. Well, you can, after you enable 2FA by SMS using your phone number, or 2FA by notification on the phone, after you add google account to your phone. But using an authenticator is an «additional method» which is not available until «primary» 2FA method (SMS / phone number) is added. Oh, you can give away your phone number first, enable 2FA, after 2FA is already enabled you can remove 2FA by SMS and keep using authenticator app as your 2FA method, it's simple.
I guess I'll just have to stop using google. Thanks for making my life more difficult and caring about my security, Google.
TL;DR: You can't use «less secure» apps (apps other than the official Gmail app) to sync emails if you don't want to link your account to your phone number or add a Google account to your phone.
Here's a list of things that are wrong with what Google does:
- If you want to read your email, you have to use app specific password. I'm ok with that.
- You can't generate app specific passwords if you don't have 2FA enabled. That's some artificial limitation made to force you into adding phone number to your account.
- You can't use authenticator app to enable 2FA. I have no idea why SMS which is the least secure way to send information is a primary method and authenticator app which can be set up by scanning QR from the screen without sending any information at all is «secondary» and can only be used after you give your phone number.
- You can use «notification» to confirm it's you, but you can only do that on the phone. I'm currently logged in in my browser, certainly I could confirm any login attempt from that same browser, wouldn't that be a second factor?
- Nowhere in the announcements, the help pages or the Google Account interface do they tell you that you can't generate app passwords if you don't have 2FA. The button is just missing and you wouldn't even know it should be there unless you search on the internet.
- Nowhere do they tell you that the only way to enable 2FA is to link your account to your phone number or to your Android/iPhone device; the options are just not there.
All of this is just bizarre and ugly. I have no idea why other people are not complaining, probably most of them just accepted that and added phone numbers.
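To illustrate the point made above that an authenticator app needs nothing sent to you over SMS, here is an added example (written for this page; it is not Google's or FairEmail's code) of the TOTP flow: the server generates a secret once, shows it to the user as an otpauth:// URI inside a QR code, and from then on both sides compute the same HMAC-based code locally and compare it. The account and issuer names are constructed; the known-answer values come from the RFC 4226 / RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Create a random shared secret and return it base32-encoded (the form carried in the QR code)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app reads from the QR code; nothing else is exchanged."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def key_from_base32(secret_b32: str) -> bytes:
    """Decode the base32 secret back to raw key bytes (what the app stores after scanning)."""
    return base64.b32decode(secret_b32)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (default 30 s)."""
    return hotp(key, unix_time // period, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                period: int = 30, digits: int = 6) -> bool:
    """Server-side check tolerating +/-window time steps of clock drift, with a constant-time compare."""
    for step in range(-window, window + 1):
        candidate = totp(key, unix_time + step * period, period, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Enrolment: the secret goes into a QR code; the phone never receives anything over the network.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleMail"))  # constructed names
    # Known-answer check: RFC 6238 Appendix B, ASCII key "12345678901234567890", T=59 -> 94287082
    print(totp(b"12345678901234567890", 59, digits=8))
```

The verification window is the only reason a server and a phone with slightly different clocks still agree; widening it beyond one step mostly buys an attacker extra guesses, so keep it small.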
Are you sure about that? I don't think this is true. I definitely don't have a phone number linked to my Google Account and I have TOTP enabled as well. They even have the Advanced Protection mode which doesn't allow SMS or the authenticator app.
Really though, you should do the last thing. Buy some security keys and enable Advanced Protection.
Only then can you add other authentication methods (this is a hardware key) and remove your phone as an option.
Source: went through this nonsense a couple years ago and then again a couple months ago with a different account.
I set up 2FA to use Yubikey hardware keys for a Google account, and was then allowed to generate app passwords. No phone number has ever been attached to the account.
I do agree that not allowing app-passwords to be generated without setting up 2FA is coercive and seems hard to justify, and it is plausible that it is being used to push people into attaching their phone numbers to their accounts. If I recall right, the current language for the setup process skews heavily toward phone numbers and does not do a good job of highlighting other (more privacy oriented) alternatives (as may be evidenced at least in the case of OP).
So the rules can vary by region
I'm really glad that I've never used a gmail address for email before, I'd hate to be stuck with using anything run by Google.
Companies using google apps, keep in mind, you pay money for a service but if there's google involved, you're still a product, just avoid it
You always need to add a phone as your first MFA method.
A simple hack though: you can add other methods, then remove the phone.
Your account was likely created before phone MFA was mandatory (as the first method).
If you use an Android phone, you most definitely do have a phone number associated with your Google Account. Android sends your IMEI and SIM card info to Google servers.
Agreed
> You can't use authenticator app to enable 2FA. I have no idea why SMS which is the least secure way to send information is a primary method and authenticator app which can be set up by scanning QR from the screen without sending any information at all is «secondary» and can only be used after you give your phone number.
The amount of people getting locked out of their account because they lost the phone with the auth app would be unacceptably large, is my guess. Like people lose their phones all the time. Simjackings are rare.
It might have something to do with not wanting to have tons of spam accounts out there? Do they have code to keep a closer eye on unverified accounts?
Or preventing broken devices from locking people out, in a "We must protect users from themselves" kind of way?
Google is a mass market company, clearly not a privacy company, anyone who really wants to not be constantly tracked should probably stay away for many more reasons than this.
Some sites (e.g. Scaleway.com) won't accept VOIP numbers: they require numbers from actual mobile networks. That is a pain for me since my main phone# is a VOIP number that forwards to my mobile. I do that so I can change my mobile number and just update the forwarding target, or can forward to a landline if I'm someplace with a lousy mobile signal, etc. All of this sucks.
some (like visible) allow you to sign up without providing any of your own PII
I used to constantly get emails about suspicious logins detected simply from moving around hotspots with my phone trying to log into IMAP. This was until I enabled the app password thing, which generated a password that's both shorter and uses less different characters than my old IMAP password.
None of the service providers who claim to fix the issue are worth their weight in salt. Shape, Akamai, none of them have a grip on the problem because the attackers are constantly evolving. As you can see, even Google is capitulating despite all the fud that people on HN spread about the company being omniscient.
Anyone who thinks this is about advertising/collecting personal data is out of their minds.
The worst part is nobody can talk about it because anything you reveal about your problems can give the attackers a massive edge.
250M login attempts times a few seconds of CPU time is a lot of compute cost to inflict on an attacker who is carrying out the same attack against a bunch of other services at once, and virtually nothing to the few thousands of active users who should only be logging in once every few months each.
And yes, a few extra seconds of logon time is viable, because people are used to the login process taking a few seconds and they don't do it very frequently.
"Credential stuffing" is straight-up an invalid excuse for asking for someone's phone number.
In a normal attack, there are maybe 2-3 requests per hour that come from each hacker-owned device. The only thing that hashcat would do is drastically increase power consumption at no cost to the attacker, and turn the application into a battery drainer on mobile devices.
So no, Hashcat is not an adequate solution.
Some of your attackers are going to run your proof-of-work algorithm on a 3090 Ti GPU and put loads of work into optimising their setup.
Some of your legitimate users are going to run it on a Raspberry Pi 1 with an ancient browser that only runs wasm through a javascript polyfill.
Tough to make up for a 1000x performance difference.
Also there is something to be said for generating the password yourself and sending it in clear to your users by email. The reality is that if the attacker has access to your client’s emails, it’s game over anyway because of password recovery. And this way you enforce that your clients will not reuse a password, and will have a strong non brute forceable password. And if you get hacked, at least you didn’t leak that precious password your users reused everywhere else. The only issue I can think of is that’s because smtp is the most neglected protocol of the internet, there is no way to ensure the email will be encrypted in transit.
Use rate limiting instead.
Sorry, but that trust has been burned and I don't see a path to recovery. Support hardware tokens or get off my lawn.
https://www.eff.org/deeplinks/2019/10/twitter-uninentionally... https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...
They couldn't care less about the habits of a nerd on Arch Linux with uBlock, NoScript, Firefox, a VPN, hardware tokens and 2FA everywhere with recovery codes split across 7 different locations.
I ran into a similar situation (small, growing startup dealing with credential stuffing attacks). We have since implemented a few different solutions, but one of the most successful was rejecting reused passwords at signup using this service [0].
Some other effective solutions include captchas, emailing a verification code, etc. Aggressive rate limiting was not at all successful, as the botnets seem to have endless piles of residential ip addresses to send requests from.
The world desperately needs to move away from username + passwords. Google might seem really pushy right now, but it's simply a trailblazer. My prediction: in a few years every company that handles valuable personal information will behave like what Google is doing today.
the rate-limit and blockage time for attempts should increase ban time/lockout-timer on an exponential time scale the more that a single browser/useragent/browser fingerprint/IP makes incorrect attempts.
yes obviously there are people out there with fully automated systems who will try massive lists of commonly used plaintext passwords for authentication if you don't throttle/rate-limit it.
and those people use single browser/single useragent/single browser fingerprint/single IP
the people competent enough to send millions of requests are usually also competent to send hard to detect requests
there are dozens of (free) tools/services offering those capabilities for LEGITIMATE purposes (like scraping)
there is an even bigger underworld market for paid tools for illegitimate purposes
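The exponential lockout described a few comments up, as an added example (written for this page, not code from any commenter or product): each failure beyond a small free allowance doubles the lockout for that client key, capped at an hour, and a successful login resets the counter. The key is a constructed tuple of IP, user-agent fingerprint and target username; timestamps are passed in explicitly so the behaviour is reproducible.

```python
import time
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed client key: (source IP, user-agent / fingerprint string, attempted username).
ClientKey = Tuple[str, str, str]


class ExponentialLockout:
    """Per-client failure counter whose lockout window grows geometrically."""

    def __init__(self, free_attempts: int = 3, base_seconds: float = 1.0,
                 factor: float = 2.0, max_seconds: float = 3600.0) -> None:
        self.free_attempts = free_attempts   # failures allowed before any lockout
        self.base_seconds = base_seconds     # first lockout length
        self.factor = factor                 # growth per additional failure
        self.max_seconds = max_seconds       # ceiling so the state never grows unbounded
        self._failures: Dict[ClientKey, int] = defaultdict(int)
        self._locked_until: Dict[ClientKey, float] = defaultdict(float)

    def lockout_seconds(self, failures: int) -> float:
        """Lockout length after `failures` consecutive failures: 0, 0, 0, 1, 2, 4, 8, ... capped."""
        over = failures - self.free_attempts
        if over <= 0:
            return 0.0
        return min(self.max_seconds, self.base_seconds * self.factor ** (over - 1))

    def check(self, key: ClientKey, now: float = None) -> Tuple[bool, float]:
        """Return (allowed, seconds_remaining) without changing any state."""
        now = time.time() if now is None else now
        remaining = self._locked_until[key] - now
        return remaining <= 0, max(0.0, remaining)

    def record_failure(self, key: ClientKey, now: float = None) -> float:
        """Count a wrong password and return the lockout (seconds) it triggered, 0 if none."""
        now = time.time() if now is None else now
        self._failures[key] += 1
        wait = self.lockout_seconds(self._failures[key])
        if wait > 0:
            self._locked_until[key] = now + wait
        return wait

    def record_success(self, key: ClientKey) -> None:
        """A correct login clears the client's failure history."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def simulate(limiter: ExponentialLockout, key: ClientKey,
             attempts: List[Tuple[float, bool]]) -> List[Tuple[str, float]]:
    """Replay constructed (timestamp, password_correct) events and return each decision."""
    decisions = []
    for t, password_ok in attempts:
        allowed, wait = limiter.check(key, t)
        if not allowed:
            decisions.append(("locked", round(wait, 1)))   # rejected before any password check
        elif password_ok:
            limiter.record_success(key)
            decisions.append(("success", 0.0))
        else:
            decisions.append(("failed", limiter.record_failure(key, t)))
    return decisions


if __name__ == "__main__":
    client = ("198.51.100.7", "Mozilla/5.0 (constructed UA)", "alice")
    events = [(0, False), (1, False), (2, False), (3, False), (3.5, False), (5, False), (8, True)]
    for decision in simulate(ExponentialLockout(), client, events):
        print(decision)
```

Keying on the target username as well as the client catches stuffing that is spread across many residential IPs, which is exactly what the later comments say defeats plain per-IP limits; the trade-off is that an attacker can then lock a victim out on purpose, so the cap and the reset on success matter.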
For the end user it is absolutely about collecting additional personal data. My concerns as a user are not the concerns of Alphabet, the company, period.
Google is a public company, just look at their annual reports. Where do they make most revenue? Advertising.
Thus, everything they do is about promoting advertising. It would be naive to think otherwise.
Think of it like using social security numbers to authenticate yourself to the bank. Yes, it's terrible, but it's kind of the only thing that works when done on a massive scale. Yes, you can do better at managing your 2FA credentials, but most users cannot - they struggle even having strong passwords. Phone numbers bridge that security-usability gap. To be clear, this isn't an endorsement of the system (I think the user should be allowed to choose), but rather trying to make sense from an engineering perspective.
The only valid reasons for the latter are (1) to collect your PII and/or (2) because they think that they know better than you and they're going to force you to do a thing because they think it's in your best interests - in other words, a tyrant ruling over a techno-feudalistic society.
If Google was really concerned only for the safety of their users, and not trying to obtain PII for their personal use, they would build an opt-out button, something that would allow users to print out a one-time-use password/encryption key, or register an alternate email address, in lieu of providing a phone number. They don't.
Your explanation doesn't hold water.
It adds an external cost to creating an account. I imagine this is incredibly valuable in fighting spam across all of their services. No coincidence, the phone number requirement is the only reason I don't have several disposable twitter, Facebook, and Google accounts.
It's an email app. There are many other options.
I think it's some sort of state machine glitch that this account feature only becomes available after adding a phone number. I couldn't come up with any other explanation. And I really hope that the static passwords stay indefinitely because the XOAUTH extension for IMAP is brittle, hostile to open-source software because of the API key requirement, and does not add security anyway. (I wouldn't mind manually rotating the passwords once per quarter, though.)
How so? The most reliable one is email, as it doesn't need to be tied to any third party so it can exist a lifetime.
I've had the same email since the mid 90s. I've had probably a dozen or more phone numbers in that timeframe. A handful of them are still tied to various company accounts even though I haven't had any access to those phone numbers for a long time.
Welcome to the club. The fastest way to convince me *not* to use a product is to attach a "Google" label to it. Nothing Google has to offer justifies the drawbacks.
NOTE: I do use an Android phone --- but only after it has been thoroughly de-Googled --- starting from a stripped down, bare metal device that won't even power up.
You're going to have to explain to me. Particularly the "starting from a stripped down, bare metal device that won't even power up." Because this sounds excessive and a bit over the top.
I haven't found a service that functions as well as Google Photos. She takes pics and I take pics, and we have a shared account that backs it all up without any messing about. I have done precisely ZERO tech support for my wife since buying this service and phones and I will probably never leave.
I myself tried to power off the device. Holding the lock button actually didn't show a power off menu, it opened Google assistant. As far as I can tell the only way to turn off the phone was to say "Turn off" to the assistant.
Any of the personal cloud things - Nextcloud, Owncloud, Seafile, Syncthing and others - can be used to sync files - and with that photos and videos - from mobile devices to some server somewhere. This can be the server-under-the-stairs, your NAS at home, a wall-wart with a Raspberry Pi and a drive taped together, a VPS or a commercial entity offering these as SaaS. You can keep using your phones with or without Google, that is up to you. If you run the stuff yourself you'll need to install and configure the parts which make it work; if you use a commercial instance you just have to install the relevant app and tell it to sync your data. You can do this in parallel to using Google Photos, just to make sure you have a backup in case Google wants just that one extra piece of personal data to allow you to access your photos which makes you give up on them. Just one more piece... and one more please...
These predictable responses don't add any value whatsoever, and they're tiring to read.
I wish HN would auto-remove these BS comments about BS comments. They're so tiring and boring...
Google hates open protocols. Don't let their claims of OAuth being open fool you. They don't use OAuth, they use OAuth 2, which is the mega-corp version shoved down the IETF's throat where every single corporate implementation is different and not interchangeable. You need a different OAuth2 plugin for every mega-corp.
I have thoughts of running my own mail server, but a lot of sites just won't let you create an account if you don't provide «trusted» email, and by «trusted» most of the time they mean gmail.
While email may be open it was designed in a pre-spam era and we've been fighting the oversights ever since.
Screw you, Google, you're not getting my phone number.
I asked one of my friends with faster internet to do that for me but google blocked an attempt to login with correct username and password.
Afterwards, yes, you have the TOTP secret available for use in any tool you want - but I am repeating myself.
From google's perspective, they're looking at a change which reduces phishing and scams by some small percent, and impacts a minuscule fraction of their users.
Abuse, scams, phishing, and forgotten passwords are all significant problems which phone numbers help with. I'd be willing to bet these changes end up having an on net positive impact for google's users.
How many phishers do you think will be stopped by removing an insecure login flow? How many people do you think want to use insecure apps, but don't have a phone number and refuse to login to their google account on their phone?
I actually don't know. Do you have any numbers?
"OAuth for Gmail is supported via the quick setup wizard. The Android account manager will be used to fetch and refresh OAuth tokens for selected on-device accounts. OAuth for non on-device accounts is not supported because Google requires a yearly security audit ($15,000 to $75,000) for this. You can read more about this here [2]."
1. https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-co... 2. https://www.theregister.com/2019/02/11/google_gmail_develope...
So it maybe works, or maybe not, because they're not paying Google for the security audit.
the SS7/PSTN is horribly broken.
SMS based "2FA" is not actual 2FA
Working in the telecom industry I've seen the pressures that first tier phone service reps are under and how they can be socially engineered, if someone is in possession of enough pieces of a person's identity already, to issue a new SIM or port out a number.
Of course, the real solution is to remove the leverage Google has on you so that a ban is no longer a problem.
And I hope they will never ever again ask me to confirm anything using that number.
Or, you know, stop fucking using google.
I have an important Gmail account where I recently had to change the password (because the only password set several years ago didn’t work). Since it was important, I didn’t want to risk the account becoming inaccessible and hence provided my phone number as the recovery number. After changing the password through a browser, the iOS Mail app complained that the password for this account is invalid and that I should enter it. So I go there and flow through the Google login pages (since this is setup as a Google account), and then it repeatedly tells me that it’s incorrect and that I should recover my account. Visiting the recover account page tells me that it cannot help me at this moment!
I’m furious at how stupid Gmail (and the people in Google writing this application) can be. I haven’t accessed that account over the last few days and am hoping I can get back in after the Google bots have cooled down. I have no idea what I can do if that account becomes permanently inaccessible because some “machine learning” algorithm messed things up. :(
I’ve decided to close my Gmail accounts (these were old ones) if I can manage to download the data from those.
This is a prime example of using dark patterns to achieve a short term goal at the cost of creating a world none of us want.
We must all remain vigilant of this trap both as creators and as users.
I applaud you for calling it out. I wish there was something more we could do about it.
The real head scratcher for me here though is that you are fine with Google hosting all of your emails and whatnot, but knowing the phone number is a huge problem? If you do not trust Google with your phone number, it seems like going with another email service would probably already be a good decision.
Get a Fastmail account, I got one after I got tired of google breaking my IMAP settings every other week. They're cheap, they have most everything you'd need from an email provider, and they don't require a special app like proton.
I share your sentiment, but I opted for Fastmail because the effort wasn't worth the savings. YMMV, obviously.
The big email providers have basically built a walled garden around email by blocking anyone outside the garden as spam. They have no incentive to open the system to people who run their own email.
on a serious note, it's annoying how fundamentalists eventually keep getting shit right because of idiots in power fulfilling their prophecies (daniel sloss had a nice comedy skit on this)
I suppose that on a time scale of thousands of years, a lot of analytical methods break down (and certainly it would be hard to start any new experiments which take that long to complete), but I think that epistemological bonus points should go to anyone whose interpretation of a prophecy guessed the correct ~50 year period for its fulfilment roughly 1800 years in advance.
One point is that app passwords can be a security issue in themselves. If you have one, the security page on Google alerts you with a big flashy yellow exclamation point and recommends you remove it. I did, which broke my email, and it took a few days to connect the dots, create a new app password and set up email again.
I think the problem they have is that mail clients don't do OAuth. So you always have that security weak link if you need IMAP/POP access.
If your phone gets taken by the police (or stolen), with an authenticator app or sms they can get into your account easily but you're locked out.
A hardware key is the way to go but even then there's no guarantee the police wouldn't take that as well, and most people think having an app on their phone is enough.
And 'email alerts' are even worse, if someone has taken your computer and has complete access to your accounts, an email saying "is this you?" is just gonna make them laugh.
So every account I setup, I have to temporarily provide my phone number to enable 2FA, then setup authy, and then delete my phone number. Obviously Google now knows who the real user is, but I haven't been creating additional accounts to be secret. That doesn't excuse the system, but it's not more than a small hassle for me.
Yes, I do have a session in my browser and I would use it as a second factor to manually approve every login to my account from my browser if I had the option to do that, but Google doesn't allow that. You can only confirm logins from an Android or Apple device.
Not true in multiple ways.
"Less secure apps" are ones that don't support OAuth. There are plenty of third party email apps that are not considered "less secure apps". E.g Thunderbird or Outlook, or iOS Mail work perfectly fine, as many others.
You can use u2f keys as second factors and don't need to add your phone number as a second factor nor as a recovery phone, as my Google account.
I also get a call, every day, precisely at 9:04am, from random numbers matching the first 6 digits of my phone number.
Protecting my phone number is a dead effort on my end.
What if someone secretly has your password and enables 2FA? The addition of the 2nd factor of auth is a big deal and the process should be as secure as possible.
One day the CEO gets SIM swapped over night...until that day nothing will change.
What HN shows is that a non-trivial amount of people's entire life is focused on exploiting others' inadequacies, and this exploitation is portrayed as "normal" by those who profit and abnormal by those who now see how invasive ad companies have become.
Letting your child sit through an ad is akin to child abuse in my head. Like taking them to a church.
"You laugh because I'm different.
I laugh because you're *normal."
*normal - Average, ordinary, unremarkable, the same